Specially Crafted Zip Files Used To Bypass Secure Email Gateways

Specially Crafted Zip Files Used To Bypass Secure Email Gateways (Nov 7, 2019)

Researchers at Trustwave have identified a new technique for packaging malware in an archive. Such campaigns normally send 7z, rar, or zip files; the spam campaign analyzed by Trustwave instead delivers Nanocore malware in a zip nested within a zip, which lets the malicious emails bypass email security. The email pretends to come from USCO Logistics, and the attached zip appears to contain shipping documents. The zip file, however, is much larger than its uncompressed content would suggest, and analysis shows it holds two ZIP structures: the first contains a decoy image, the second the Nanocore Remote Access Trojan (RAT).
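As an added example (not code from Trustwave's or this digest's write-up), the following Python check flags an archive that carries more than one ZIP structure: it counts end-of-central-directory and local-file-header records in the raw bytes and compares them with the entries a standard parser, which trusts only the final central directory, actually reports. The two sample archives, their entry names decoy.png and hidden.bin, and their contents are constructed placeholders.

```python
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
LOCAL_SIG = b"PK\x03\x04"  # local file header


def make_zip(name: str, content: bytes) -> bytes:
    """Build a one-entry ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def count_signatures(data: bytes, sig: bytes) -> int:
    """Count occurrences of a ZIP record signature in the raw bytes."""
    return data.count(sig)


def analyze_zip(data: bytes) -> dict:
    """Report whether a file carries more than one ZIP structure.

    A well-formed archive has exactly one EOCD record, and every local file
    header is listed in the central directory that the EOCD points to. An
    archive with a second ZIP structure shows an extra EOCD record and local
    headers that the parsed central directory never lists.
    """
    eocd_count = count_signatures(data, EOCD_SIG)
    local_count = count_signatures(data, LOCAL_SIG)
    # Python's zipfile, like most parsers, walks from the final EOCD and
    # ignores any earlier structure, so it only reports the last archive.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        visible = [info.filename for info in zf.infolist()]
    return {
        "eocd_records": eocd_count,
        "local_headers": local_count,
        "visible_entries": visible,
        "suspicious": eocd_count > 1 or local_count > len(visible),
    }


# Constructed sample: a decoy-image archive followed by a second archive.
DECOY = make_zip("decoy.png", b"constructed placeholder image bytes")
HIDDEN = make_zip("hidden.bin", b"constructed placeholder, not malware")
DOUBLE_ZIP = DECOY + HIDDEN

if __name__ == "__main__":
    print(analyze_zip(DECOY))       # suspicious: False
    print(analyze_zip(DOUBLE_ZIP))  # suspicious: True
```

The size mismatch described above shows up here as local headers that the parsed central directory does not account for; a gateway can apply the same check before trusting what a single parser reports.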

Recommendation: Any file attachment sent by an unknown sender should be viewed with the utmost scrutiny; such attachments should not be opened and should be reported to the appropriate personnel.

ThreatStream users can view the Indicators of Compromise (IOCs) associated with this story to identify potentially malicious activity.